Zimmer Posted May 28, 2009

Ok, I have been doing some simple webpages and wanted to put some easter eggs in them. One of them is a login page, but I didn't want people to be able to change the code allowing the password to be different. I don't have access to server-side scripting, so I decided to try some stuff with JavaScript.

```javascript
function validate_login(AESText, SHA_RU, SHA_RP)
{
    //AESText - Encrypted URL
    //SHA_RU - Real Username SHA
    //SHA_RP - Real Password SHA
    //Confirm Login Secure I think, I hope, but I don't know
    //Username
    //938di389e
    var password = document.getElementById('password').value //Retrieves User Entered Pass
    var username = document.getElementById('username').value //Retrieves User Entered Username
    var SHA_Pass = SHA1(password) //Calculates SHA of USER PASS
    var SHA_User = SHA1(username) //Calculates SHA of USER USERNAME
    if (SHA_Pass == SHA_RP && SHA_User == SHA_RU) //Confirms Correct Pass Word SHA_RU, SHA Real User SHA_RP, SHA Real Pass
    {
        var pass = password + '3kx' + username //Sets the pass to decrypt AESText
        var text = AESDecryptCtr(AESText, pass, 256) //Tries to decrypt AESText
        //Don't need to pass and user are correct so decryption correct --> if (sha_text == AES_R_SHA)//Compares the sha of the attempted decryption and the real sha hash of decryption
        //alert(SHA1(text))
        //alert(sha_text)
        //alert(text)
        location.href = text //Redirect
    }
    else
    {
        location.href = 'denied.html' //If decryption not correct redirect to denied.html
    }
}
```

With this code it takes the URL to redirect to, if the user and pass are correct, as an AES encrypted string. It also takes the real password's and username's SHA1 hashes. Then I get the user's inputted pass and username. I create the SHA1s of those inputs and compare them. If they are correct I then use the inputted pass and username to create a key to decrypt the AES text. I did have it compare the AES SHA1 hashes, but I figure if the pass and user SHA1 hashes are correct then so will the AES key and then the text. It then redirects to the now decrypted URL. If any of these checks fail it redirects to denied.html.

I see several vulnerabilities.

1) Brute forcing all the URLs on the server and finally finding the URL, so I figure this is more obscurity.
2) Brute forcing the SHA1 hashes or AES key to decrypt the AES text.
3) A vulnerability I don't think would work is injecting the wrong SHA1 hashes, because even if they worked the input password and username still would not produce the wrong AES key.

Anyone else see any way to solve these problems, or see any other possibilities?
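Added example, not part of Zimmer's post: one way to address point 2 is to stop embedding the SHA1 hashes at all and let authenticated decryption decide whether the credentials were right. It uses Node.js's built-in crypto module so it runs offline; the names `deriveKey`, `sealUrl` and `openUrl`, the iteration count and the sample values are assumptions made for this illustration.

```javascript
// Added example, not the poster's code. Uses Node.js built-in crypto.
const crypto = require('node:crypto');

// Key from both credentials, like the post's password+'3kx'+username, but
// length-prefixed (no ambiguous joins) and stretched with salted PBKDF2.
function deriveKey(username, password, salt, iterations) {
  const secret = `${username.length}:${username}${password}`;
  return crypto.pbkdf2Sync(secret, salt, iterations, 32, 'sha256');
}

// Run once by the page author; the result is what gets embedded in the page.
// The iteration default is an assumed work factor, not a value from the post.
function sealUrl(url, username, password, iterations = 600000) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(username, password, salt, iterations);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(url, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { iterations, salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Run on each login attempt. Returns the URL, or null when the credentials
// are wrong or the embedded blob was edited (the GCM tag check fails).
// The caller redirects to denied.html on null.
function openUrl(blob, username, password) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(username, password, raw(blob.salt), blob.iterations);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw(blob.iv));
  decipher.setAuthTag(raw(blob.tag));
  try {
    return Buffer.concat([decipher.update(raw(blob.ct)), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed sample values, not taken from the post.
{
  const page = sealUrl('egg-7f3.html', 'zed', 'sample-pass');
  console.log(openUrl(page, 'zed', 'sample-pass'));
  console.log(openUrl(page, 'zed', 'guess'));
}
```

The embedded blob can still be guessed at offline, only far more slowly than a bare SHA1, and the target page itself stays readable to anyone who learns its URL (point 1 in the post).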